DFARS 7021 Clause 2.0: DoD Releases Proposed Rule Updating CMMC Clause
Client Alert | 2 min read | 08.20.24
On August 15, 2024, the Department of Defense (“DoD”) released the long-awaited proposed rule (“August 2024 Proposed Rule”), updating Defense Federal Acquisition Regulation Supplement (“DFARS”) Clause 252.204-7021 (the “7021 Clause”), which, when final, will initiate the phased implementation of Cybersecurity Maturity Model Certification 2.0 (“CMMC”) requirements into DoD contracts. The Clause will require every defense contractor that handles Federal Contract Information (“FCI”) or Controlled Unclassified Information (“CUI”) to assess and certify compliance with select CMMC security requirements. The August 2024 Proposed Rule introduces several distinct changes to the 7021 Clause published by DoD in January 2023, including:
- Instructing Contracting Officers to fill in the required CMMC Level in each in-scope DoD contract.
- Requiring contractors to “maintain the CMMC level required by [the] contract for the duration of the contract for all information systems” that handle FCI or CUI.
- Requiring contractors to notify the Contracting Officer within 72 hours if there are any “lapses in information security” or changes to the status of the CMMC certification—including in self-assessment certification.
- Requiring contractors to affirm “continuous compliance” on an annual basis or when changes to the status of their CMMC certifications occur.
- Requiring that contractors “ensure” that subcontractors have current CMMC certificates or self-assessments at the required flowdown level.
Heightened cybersecurity requirements and greater scrutiny on compliance will increase risks and potential consequences for defense contractors, particularly in the context of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. Thus, contractors need to be prepared for the upcoming implementation of CMMC. Comments on the proposed rule will be accepted for 60 days.
The 7021 Clause has been dormant during the CMMC rulemaking process, but DoD has stated that it will become active and begin appearing in DoD contracts when the August 2024 Proposed Rule is finalized. However, it is likely that not all contractors will be required to fully comply with all CMMC requirements immediately. The August 2024 Proposed Rule affirms that, as outlined in DoD’s December 2023 CMMC Proposed Rule, CMMC requirements are slated to roll out to contractors in phases over a three-year period.


